ClawHub

SEC Watcher

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says by fetching public SEC filings, but it mixes real results with unsupported promotional intelligence claims that users could mistake for actual analysis.

Install only if you want a lightweight, on-demand SEC EDGAR filing fetcher and are comfortable with your company/ticker searches being sent to sec.gov. Treat the Signal Report preview, pattern detection, and cross-source analysis language as advertising, not as evidence produced by this skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill advertises real-time SEC monitoring and filing intelligence, but the documented behavior is a manual fetch script with embedded marketing, upgrade prompts, and claims about intelligence features not implemented by the skill. This can mislead users into overtrusting the coverage, timeliness, and analytic rigor of the output, which is particularly risky in a financial/regulatory context where users may act on incomplete or promotional information.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The JSON output advertises 'cross-source pattern analysis' and subscriber-only capabilities that are not implemented anywhere in this script, which only queries SEC EDGAR. This is a deceptive capability claim that can mislead downstream agents or users into trusting fabricated enrichment, creating integrity and decision-making risk rather than direct code-execution risk.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The console output presents speculative 'sample insight,' 'pattern detection,' and Pro-only intelligence messaging as if the tool has identified cross-source correlations, even though the script only fetches and formats SEC filings. In an agent skill context, this is more dangerous because other components or users may treat these statements as evidence-based intelligence, leading to false conclusions or inappropriate actions.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal